Hi, Fred, I know a lot of your readers are IT professionals, as I am myself. So I'm writing you hoping that perhaps we can get the word out among IT professionals and allow them to discuss and decide whether auto replies for E-mail are a good idea anymore.

Specifically, I'd like to mention these auto replies I'm now getting thanks to the Sobig.F virus. Many companies have E-mail filtering or their anti-virus programs set up to auto reply to a sender when they receive an E-mail carrying a virus. As most IT folks know, Sobig.F uses an E-mail from an infected PC's contact list and makes it appear as though that E-mail address is the sender or originator of the virus. My problem now isn't the Sobig virus; our filtering handles that just fine. But now my E-mail account is getting bombed with these auto replies stating that my E-mail was rejected because it contained a virus. Unfortunately, possibly someone with my E-mail address has become infected and my E-mail address is being used as the sender of the E-mailings. This auto-reply feature was a good idea when it first came out. But thanks to Sobig, now it's simply contributing to the junk traffic along the Internet lines.

I'd also like to throw in my personal take on users setting up auto-reply vacation messages on their E-mail accounts. I occasionally get calls from users asking if I can set up a vacation auto reply to their E-mail box. I respond to the requests by trying to discourage the use of auto reply simply because of spam. Auto reply is fine for a legitimate business contact, but unfortunately if a spammer gets an auto reply from an email address, it will verify that the E-mail address is a good working address and the user will likely get more spam in the future. I normally advise users to send an E-mail to all of their contacts advising them of being away instead of using the auto reply and if possible using Web mail to check their E-mail. Thanks, Fred, and I hope word gets out. My E-mail inbox will appreciate it.

-- Tim Downey

Tim is right. Auto-reply messages can cause more trouble than they prevent.

Indeed, this is especially true with worms that propagate by forging headers (inserting an innocent party's E-mail address into the "from" field of an infected message). It's annoying when it happens to a personal E-mail address, but in the case of a business that may have sent out thousands or even millions of valid E-mails to customers or contacts, the odds approach 100% certainty that the innocent business's E-mail address(s) will get picked up and re-used many, many times by a worm or virus, resulting in a torrent of "message rejected" bounce mails flooding back to choke the business's servers--even though the business did nothing wrong! The amount of system time and bandwidth wasted in processing these unnecessary, misdirected messages is truly enormous.

And, yes, even seemingly harmless vacation notices can cause similar problems, albeit on a more limited scale. In my own case, when I send out an E-mail newsletter to 160,000 subscribers, I get back a small flood of useless and unneeded out-of-office or vacation messages. They serve no purpose, and although they can be filtered, these messages still are a waste of time and bandwidth. For companies with larger mailing lists than mine, even ostensibly innocuous "away" or vacation messages will generate a ton of garbage E-mail that has to be received, filtered, and disposed of.
Then there's looping: Although some E-mail clients watch for this, it's also possible for two auto-reply robots to enter an endless loop of auto-replies replying to auto-replies!

Part of the problem is the ease with which auto-replies can be set up. In personal E-mail accounts, for example, tools like Outlook's "Out of Office Assistant" make the process seem simple, but also hide the fact that a broad-brush auto-reply is extremely crude and may even be dangerous: Ironically, people who would never consciously reply to spam mail may blithely set up an out-of-office or other auto-reply message without realizing that these messages will reply to everything that arrives in the mailbox, including spam mails trolling for live addresses.

As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.